
$500 open source tool lets anyone hack computer chips with lasers


Beaumont describes the RayV Lite as part of a broader trend she calls the “domestication of tools”: devices like the ChipWhisperer and HackRF have made electromagnetic or radio-based hacking techniques much cheaper and more accessible. She expects the RayV Lite to do the same for lasers. “It’s significant,” says Adam Laurie, a veteran hardware hacker and current head of product security at electric vehicle charging company Alpitronic, who reviewed Beaumont and Trowell’s laser hacking work. “It moves tools from the academic or state actor platform, which are super expensive, into the garage, where the really innovative stuff happens.”

While building the RayV Lite, Beaumont and Trowell focused on two distinct laser hacking methods. One is laser fault injection, or LFI, which uses a short burst of light to alter the charges of a processor’s transistors, “flipping bits” from 1 to 0 or vice versa. In some cases, carefully triggering those bit flips can cause much larger effects. In one car chip Beaumont tested, for example, firing a laser at the chip at a certain time can bypass a security check that puts the chip’s firmware into a protected state, leaving it unprotected and allowing her to scan its otherwise obfuscated code for vulnerabilities.

According to Beaumont and Trowell, many cryptocurrency wallets are also vulnerable to forms of LFI, such as inducing a fault in the chip at the moment it requests a PIN to unlock the cryptographic key and access the owner’s funds. “You remove the chip from the cryptocurrency wallet, hit it with a laser at just the right moment, and it will assume you have the PIN,” Trowell says. “It simply follows the instructions and gives you back the key.”
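Why a single flipped bit can defeat a PIN check, and how firmware can be written to notice it, is easier to see in code. The following is an added example, not code from the article or the RayV Lite project: the stored PIN, result codes and function names are constructed, and the fault is simplified to a bit flip in the comparison result.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample secret; a real device keeps this in protected storage. */
static const uint8_t STORED_PIN[4] = {1, 2, 3, 4};

/* Hardened result codes are bitwise complements (Hamming distance 32),
   so no single bit flip can turn one into the other. */
#define AUTH_OK   0x3CA5965Au
#define AUTH_FAIL 0xC35A69A5u

/* Constant-time compare: returns 0 only when all n bytes match. */
static uint8_t ct_diff(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t d = 0;
    for (size_t i = 0; i < n; i++) d |= (uint8_t)(a[i] ^ b[i]);
    return d;
}

/* Naive check. fault_mask models a fault-induced flip in the result word. */
int naive_unlock(const uint8_t *pin, uint32_t fault_mask) {
    uint32_t ok = (ct_diff(pin, STORED_PIN, 4) == 0);
    ok ^= fault_mask;      /* simulated fault */
    return ok != 0;        /* any nonzero value unlocks */
}

/* Hardened check: wide-distance codes plus a redundant second evaluation.
   Returns 1 = unlock, 0 = wrong PIN, -1 = fault detected. */
int hardened_unlock(const uint8_t *pin, uint32_t fault_mask) {
    volatile uint32_t r1 = ct_diff(pin, STORED_PIN, 4) == 0 ? AUTH_OK : AUTH_FAIL;
    r1 ^= fault_mask;      /* same simulated fault */
    volatile uint32_t r2 = ct_diff(STORED_PIN, pin, 4) == 0 ? AUTH_OK : AUTH_FAIL;
    if (r1 != AUTH_OK && r1 != AUTH_FAIL) return -1;  /* corrupted value */
    if (r1 != r2) return -1;                          /* evaluations disagree */
    return r1 == AUTH_OK ? 1 : 0;
}

/* Count how many of the 32 single-bit faults unlock with a wrong PIN. */
int count_bypasses(int (*unlock)(const uint8_t *, uint32_t)) {
    const uint8_t wrong[4] = {0, 0, 0, 0};
    int n = 0;
    for (int bit = 0; bit < 32; bit++)
        if (unlock(wrong, (uint32_t)1 << bit) == 1) n++;
    return n;
}
```

Production firmware also has to guard against skipped instructions and repeated faults, which this single-bit-flip model does not cover.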

A second laser hacking technique, known as laser imaging, focuses on monitoring a chip’s architecture and activity in real time by bouncing laser light off it and capturing the results (much like a camera or microscope) for analysis. In Beaumont and Trowell’s work, this was often done with the help of machine learning tools. Because laser light bounces off silicon differently depending on its electrical charge, such a trick allows hackers to map out not just the physical layout of a processor but also the data its transistors store — essentially slicing into the chip to extract clues about the data and code it’s handling, which could include sensitive secrets.

In the first iteration of RayV Lite, Beaumont and Trowell are developing designs for the tool in two different versions, one for each of those two laser hacking techniques. For now, they’re releasing only the laser fault injection model and hope to release the laser logic state imaging version within months. Both will use the same fundamental components and the same DIY cost-cutting tricks. The body of the tool, for example, is made of solid wood.

The RayV Lite is based on an open-source 3D-printable microscope model called OpenFlexure, which uses the flexibility of 3D-printable PLA plastic to achieve precise laser targeting. The target chip is mounted on a chassis affixed to printed plastic levers that are bent to tiny degrees by stepper motors, allowing for tiny, precise movements in three dimensions. With that plastic-bending trick and a laser focused through a lens, Beaumont and Trowell say, the RayV can target transistors—or rather clusters of them—down to the nanometer scale. (PLA plastic wears out, Beaumont admits. But she also notes that the entire body of the RayV Lite can simply be reprinted for a few dollars.)
